Plug and Pray? Virta Labs Using Power Analysis to Spot IoT Compromises

A new startup, Virta Labs, says its PowerGuard device can detect malicious software infections by studying power consumption – an approach with applications on the Internet of Things.

In-brief: A start-up, Virta Laboratories, says that its new PowerGuard technology can spot malicious software infections on any device by studying changes in how it consumes electricity. The technology has big implications for managing risk on the Internet of Things.

Virta Laboratories, a two-year-old start-up, has developed a new technology that it claims will solve one of the most pressing security problems facing the Internet of Things: how to monitor for security threats across a large and diverse population of endpoints.

The company this month introduced a new device, dubbed PowerGuard, that it says can spot malicious software running across a wide range of devices by studying the patterns of power consumption on those devices. The device is in beta deployment now.

Virta Labs is the creation of a team of researchers including Professor Kevin Fu of the University of Michigan, a leading expert on the security of medical devices, and Denis Foo Kune, a former postdoctoral researcher at the University of Michigan’s department of Computer Science and Engineering. In a write-up on the University of Michigan’s web page, the company’s product is described as an otherwise unremarkable power outlet that contains “embedded intelligence (that) detects when an infected device is plugged into the outlet by analyzing subtle power consumption patterns.”*

The technology addresses one of the big challenges of the next decade. Namely: how to monitor and manage security threats across the much larger and more diverse population of endpoints engendered by the Internet of Things. Simply put: the security industry has been nurtured and has matured in a software monoculture dominated by one operating system (Microsoft’s Windows) and a relatively small population of endpoint types (desktops, laptops, application servers and, more recently, smart phones) and protocols. Security software and hardware – from antivirus software to intrusion detection system software – have evolved to address threats within that narrow spectrum.

But the future looks nothing like the past – as a quick scan of the headlines out of conferences like Black Hat, DEFCON and USENIX illustrates. From connected vehicles to drones and medical devices, the future threat landscape offers a much larger and more diverse population of endpoints – and threats – than has been the case for the last two decades.

The problems that result from that are already starting to appear. Researchers Chris Valasek and Charlie Miller demonstrated a wireless attack on a Jeep Cherokee that could be used to control critical vehicle functions like steering and braking. The Online Trust Alliance last week proposed new, voluntary standards that device makers can use to ensure the security of their creations over the long term, including the security of connected home and health technologies. Also, the FDA took the unusual step of advising hospitals not to use drug infusion pumps by the firm Hospira following research that revealed the devices were easily susceptible to hacking and compromise. Healthcare security experts say they expect more advisories like that are on the horizon.

“For years, manufacturers of medical devices depended on the ‘kindness of strangers’ assuming that devices would never be targeted by bad actors,” wrote John Halamka, the Chief Information Officer at Boston’s Beth Israel Deaconess Hospital shortly after the FDA announcement. “EKG machines, IV pumps, and radiology workstations are all computers, often running un-patched old operating systems, ancient Java virtual machines, and old web servers that no one should currently have deployed in production.”

Fu of Virta Labs agreed that the FDA announcement on the Hospira pumps was a watershed moment and that organizations in healthcare are increasingly concerned about their ability to monitor sensitive medical devices and instruments that are on their network.

In a demonstration at the recent Black Hat Briefings in Las Vegas, Fu showed Security Ledger how PowerGuard could register the execution of malicious code as changes in the power consumption patterns of a device plugged into the PowerGuard outlet. A dashboard accessible via Virta Labs’ cloud-based management console noted sudden changes in the pattern of power use as the malware was opened and began installing itself on the device, and could send an alert to an IT administrator or other staff.
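As an added illustration of the idea (this is not Virta Labs’ code, and the article does not describe PowerGuard’s actual method), a minimal sliding-window detector over a constructed power trace: learn a baseline from samples recorded while the device is known-good, then flag the first window whose mean or spread departs from that baseline. The sampling rate, the thresholds and the trace itself are assumptions.

```python
"""Toy power-trace anomaly detector (constructed example, not Virta Labs' PowerGuard code)."""
import math
import statistics

WINDOW = 10          # samples per sliding window (assumed sampling rate)
Z_THRESHOLD = 4.0    # how far a window mean may drift from the idle baseline, in standard errors
SPREAD_RATIO = 3.0   # how much more variable a window may be than the idle baseline


def constructed_trace():
    """Constructed power draw in watts: 60 idle samples, then a bursty 'install' phase."""
    idle = [5.0 + 0.04 * math.sin(k) for k in range(60)]          # small deterministic jitter
    busy = [6.5 + (0.6 if k % 2 else -0.6) for k in range(60, 100)]  # higher and bursty
    return idle + busy


def learn_baseline(samples):
    """Mean and spread of a window recorded while the device is known-good."""
    return statistics.mean(samples), max(statistics.pstdev(samples), 1e-9)


def first_anomaly(trace, baseline, window=WINDOW):
    """Index of the first sample whose window departs from the baseline, or None."""
    mean, std = baseline
    sem = std / math.sqrt(window)  # expected jitter of a window mean under the baseline
    for end in range(window, len(trace) + 1):
        w = trace[end - window:end]
        mean_shift = abs(statistics.mean(w) - mean) / sem
        spread = statistics.pstdev(w) / std
        if mean_shift > Z_THRESHOLD or spread > SPREAD_RATIO:
            return end - 1  # newest sample in the offending window
    return None


def demo():
    """Train on the first 40 idle samples, then scan the whole trace."""
    trace = constructed_trace()
    baseline = learn_baseline(trace[:40])
    return first_anomaly(trace, baseline)  # → 60


if __name__ == "__main__":
    print("first anomalous sample:", demo())
```

A legitimate change in workload, such as a firmware update, trips the same check, which is why a detector like this reports a change rather than proving an infection.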

Currently, few connected health devices are actively monitored for malicious or just suspicious activity, meaning that malicious actors can linger for months or longer on these devices, experts agree.

The PowerGuard device is limited to monitoring and could not block an infection. However, using it could greatly narrow the window of opportunity that an attacker would have to establish a foothold in a sensitive environment subsequent to compromising a device, Fu said.

The devices would also help spot changes in a device’s operation that may be unrelated to malicious activity, helping hospitals, manufacturing firms and the like identify hardware that is in need of servicing. And, because the device doesn’t require software or hardware to be installed on the actual device, it is easier for healthcare organizations to deploy it without being concerned that it will interfere with the operation of the device that is being monitored.

Virta Labs isn’t the first firm to offer power analysis as a solution to organizations’ security monitoring problems. PFP Cybersecurity, a Vienna, Virginia-based company, unveiled a similar technology at the S4 Conference in January. Like Virta Labs, PFP says that its software can identify malicious software infections and other abnormalities on critical systems by observing fluctuations in their power use.

While promising, power analysis is a technology with limitations, Fu and others acknowledge. Currently, PowerGuard devices can only be deployed in a 1:1 ratio to monitored devices – a potentially expensive proposition for facilities with hundreds or even thousands of devices to monitor and manage.

(*) Correction: An earlier version of this story described Dr. Denis Foo Kune as a postdoctoral researcher at the University of Michigan’s department of Computer Science and Engineering. Dr. Foo Kune is a former postdoctoral researcher in that department. The story has been corrected. – PFR 8/18/2015.